How the NSA recruits in a post-Snowden world

There’s a truism you’ll hear repeated in computer security circles: if the NSA wants to get inside your computer, they’re already in. So when Jacob Appelbaum stepped on stage last month at the 30th annual Chaos Communication Congress in Hamburg, Germany, his audience had an idea of what was coming.

Over the next hour, Appelbaum, a WikiLeaks ally and core engineer of the Tor anonymity software, revealed the technology and tactics the NSA uses to “get the un-gettable,” executed by an elite unit known as Tailored Access Operations, or TAO. Unlike the data mules and mathematicians that fill the rest of the agency, TAO is made up of what can only be described as hackers, specially trained to break into computers and steal sensitive data—a role the NSA more eloquently calls “Computer Network Exploitation.” But how the agency came to rely on such highly skilled operators is a story unto itself.

Based in a heavily guarded section of the NSA’s Fort Meade, Maryland, headquarters and other facilities around the country, TAO is reportedly the biggest part of the NSA’s Signals Intelligence Directorate, with over 1,000 military and civilian personnel. According to documents published in Der Spiegel, TAO’s hackers have exploited vulnerabilities in consumer products, like Apple’s ubiquitous iPhone, and have a massive catalog of technology and techniques at their disposal. One device, built by an R&D division called ANT, can break into protected WiFi networks from up to eight miles away. Agents are even known to intercept packages in the mail to implant spyware on computers ordered online, a process the agency calls “interdiction.” In all, NSA specialists have reportedly compromised more than 100,000 machines worldwide, and use a radio frequency technology that allows them to remotely access computers even when they’re not connected to the Internet.

There’s some irony here: when you think about the skillset required for such feats, Appelbaum’s audience at the congress neatly fits the bill. The annual jirga of German hackers and activists is attended by some of the world’s most talented computer security specialists who, under different circumstances, might have found their way into the flock of the NSA, Britain’s GCHQ, or a similar state intelligence service.

At first blush, it’s at these hacker meet-ups where intelligence agencies seem to search for the brightest minds to pluck into their ranks. Such cases are rare exceptions, however. Two years ago at the world-famous Def Con hacking conference in Las Vegas, NSA director General Keith Alexander showed up in T-shirt and blue jeans to deliver a keynote on the “shared values” of the hacker and intelligence communities—a first of its kind for the event. The agency had its own table in the vendor hall, and a special recruitment website was set up for the festivities.

An electronic pamphlet reassured the curious: “If you have a few, shall we say, indiscretions in your past, don’t be alarmed.” It added: “By the way, if you think you saw cool things at DEF CON® 20, just wait until you cross the threshold to NSA, ’cause you ain’t seen nothing yet.”

It was unusually aggressive posturing for the secretive agency, and the patronizing sting felt by attendees was part of a long-standing culture clash between hackers and government spooks. But no one was quite ready the following year, when a twenty-something systems administrator began leaking documents on the NSA’s mass-surveillance programs.